<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.sql.*"%>
<% 
request.setCharacterEncoding("utf-8");
String userName = request.getParameter("userName");
String password = request.getParameter("password");

// 使用PreparedStatement防止SQL注入
String sql = "SELECT * FROM db_register WHERE userName = ?";
java.sql.Connection conn = null;
java.sql.PreparedStatement pstmt = null;
java.sql.ResultSet rs = null;
boolean ret = false;

try {
    conn = com.myweb.DBTools.getConn(jdbc:mariadb://10.220.140.102:3366/studb14); // 假设这是获取数据库连接的方法
    pstmt = conn.prepareStatement(sql);
    pstmt.setString(1, userName);
    rs = pstmt.executeQuery();
    
    if (rs.next()) {
        String rsadmin_pwd = rs.getString("password");
        if (rsadmin_pwd.equals(password)) { // 这里应该比较散列值
            ret = true;
            session.setAttribute("userName", userName);
            session.setAttribute("userName", rs.getString("userName"));
        }
    }
} catch (SQLException e) {
    e.printStackTrace();
} finally {
    // 关闭数据库资源
    try {
        if (rs != null) rs.close();
        if (pstmt != null) pstmt.close();
        if (conn != null) conn.close();
    } catch (SQLException e) {
        e.printStackTrace();
    }
}

if (ret) {
    response.sendRedirect("FRIST.jsp"); // 使用驼峰命名法
} else {
    response.sendRedirect("customerLogin.jsp?error=invalid"); // 传递错误信息
}
%>